EU Nations Lag in Implementing Law to Fight Cyberattacks

Most European Union countries have missed a deadline to adopt an EU directive aimed at boosting cybersecurity, and have been sent warnings from the European Commission.

The directive is designed to ensure the security of digital networks considered vital to modern society.

The commission sent warning letters to 17 EU countries, telling them to speed their adoption of the directive on the security of network and information systems (NIS Directive, 2016/1148/EU). The deadline was May 9.

The NIS Directive requires authorities in EU countries to take steps to ensure the protection of vital economic activities against cyberattacks. Countries must list operators of essential services in sectors including energy, utilities, banking, transportation, and health care, and to require them to take cybersecurity precautions and notify the authorities of cyberattacks.

The directive also covers search engines, cloud computing services, and online marketplaces, where a cyberattack could potentially affect a large number of users.

The warnings sent to countries July 19 are the first step in proceedings that could end up in the EU Court of Justice. EU countries that fail to put in place the bloc’s laws could be fined, but the great majority of cases are resolved after warnings.

EU countries face another deadline under the NIS Directive—Nov. 9—when they must list companies that would be required to report cyberattacks.

“The biggest topic under the NIS Directive for companies is the notification obligation in case of an incident,” Jörg Hladjk, of counsel with Jones Day in Brussels, told Bloomberg Law July 19. Companies were awaiting the Nov. 9 deadline to know where they stand, he said.

“The quicker there is certainty in the market across EU countries, the better for companies in adjusting or repositioning their compliance programs,” Hladjk said.

The countries targeted by European Commission July 19 warning letters were Austria, Bulgaria, Belgium, Croatia, Denmark, France, Greece, Hungary, Ireland, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Romania and Spain. Countries have two months to respond or face further proceedings.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bloomberglaw.com

To contact the editor responsible for this story: David Mark at dmark@bloomberglaw.com